CernVM-FS  2.13.0
 All Classes Namespaces Files Functions Variables Typedefs Enumerations Enumerator Friends Macros Pages
signature.h
Go to the documentation of this file.
1 
5 #ifndef CVMFS_CRYPTO_SIGNATURE_H_
6 #define CVMFS_CRYPTO_SIGNATURE_H_
7 
8 #include <openssl/bio.h>
9 #include <openssl/err.h>
10 #include <openssl/evp.h>
11 #include <openssl/pem.h>
12 #include <openssl/rsa.h>
13 #include <openssl/x509.h>
14 #include <pthread.h>
15 
16 #include <cstdio>
17 #include <map>
18 #include <set>
19 #include <string>
20 #include <vector>
21 
22 #include "crypto/hash.h"
23 #include "util/export.h"
24 
25 namespace signature {
26 
27 class CVMFS_EXPORT SignatureManager {
28  public:
29  enum ESignMethod {
30  kSignManifest,
31  kSignWhitelist
32  };
33 
34  SignatureManager();
35 
36  void Init();
37  void Fini();
38  std::string GetCryptoError();
39 
40  void UnloadPrivateKey();
41  void UnloadPublicRsaKeys();
42  void UnloadPrivateMasterKey();
43  void UnloadCertificate();
44 
45  bool LoadPrivateMasterKeyPath(const std::string &file_pem);
46  bool LoadPrivateKeyPath(const std::string &file_pem,
47  const std::string &password);
48  bool LoadPrivateMasterKeyMem(const std::string &key);
49  bool LoadPrivateKeyMem(const std::string &key);
50  bool LoadCertificatePath(const std::string &file_pem);
51  bool LoadCertificateMem(const unsigned char *buffer,
52  const unsigned buffer_size);
53  bool WriteCertificateMem(unsigned char **buffer, unsigned *buffer_size);
54  bool KeysMatch();
55  bool VerifyCaChain();
56  std::string Whois();
57  shash::Any HashCertificate(const shash::Algorithms hash_algorithm);
58  std::string FingerprintCertificate(const shash::Algorithms hash_algorithm);
59  static shash::Any MkFromFingerprint(const std::string &fingerprint);
60 
61  bool LoadPublicRsaKeys(const std::string &path_list);
62  bool LoadBlacklist(const std::string &path_blacklist, bool append);
63  std::vector<std::string> GetBlacklist();
64 
65  bool LoadTrustedCaCrl(const std::string &path_list);
66 
67  bool Sign(const unsigned char *buffer, const unsigned buffer_size,
68  unsigned char **signature, unsigned *signature_size);
69  bool SignRsa(const unsigned char *buffer, const unsigned buffer_size,
70  unsigned char **signature, unsigned *signature_size);
71  bool Verify(const unsigned char *buffer, const unsigned buffer_size,
72  const unsigned char *signature, unsigned signature_size);
73  bool VerifyRsa(const unsigned char *buffer, const unsigned buffer_size,
74  const unsigned char *signature, unsigned signature_size);
75  bool VerifyLetter(const unsigned char *buffer, const unsigned buffer_size,
76  const bool by_rsa);
77  bool VerifyPkcs7(const unsigned char *buffer, const unsigned buffer_size,
78  unsigned char **content, unsigned *content_size,
79  std::vector<std::string> *alt_uris);
80  static void CutLetter(const unsigned char *buffer,
81  const unsigned buffer_size,
82  const char separator,
83  unsigned *letter_length,
84  unsigned *pos_after_mark);
85 
86  // Returns the PEM-encoded text of all loaded RSA pubkeys
87  std::string GetActivePubkeys() const;
88  std::vector<std::string> GetActivePubkeysAsVector() const;
89  // The PEM-encoded private key matching the public master key
90  std::string GetPrivateMasterKey();
91  // The PEM-encoded certificate without private key
92  std::string GetCertificate() const;
93  // The PEM-encoded private key matching the certificate
94  std::string GetPrivateKey();
95 
96  void GenerateMasterKeyPair();
97  void GenerateCertificate(const std::string &cn);
98 
99  private:
100  RSA *GenerateRsaKeyPair();
101  std::string GenerateKeyText(RSA *pubkey) const;
102 
103  void InitX509Store();
104 
105  EVP_PKEY *private_key_;
106  RSA *private_master_key_;
107  X509 *certificate_;
108  std::vector<RSA *> public_keys_;
109  pthread_mutex_t lock_blacklist_;
110  std::vector<std::string> blacklist_;
111  X509_STORE *x509_store_;
112  X509_LOOKUP *x509_lookup_;
113 }; // class SignatureManager
114 
115 } // namespace signature
116 
117 #endif // CVMFS_CRYPTO_SIGNATURE_H_
manifest::Verify
Failures Verify(unsigned char *manifest_data, size_t manifest_size, const std::string &base_url, const std::string &repository_name, const uint64_t minimum_timestamp, const shash::Any *base_catalog, signature::SignatureManager *signature_manager, download::DownloadManager *download_manager, ManifestEnsemble *ensemble)
Definition: manifest_fetch.cc:224
signature::SignatureManager::blacklist_
std::vector< std::string > blacklist_
Definition: signature.h:110
signature::SignatureManager::lock_blacklist_
pthread_mutex_t lock_blacklist_
Definition: signature.h:109
CVMFS_EXPORT
#define CVMFS_EXPORT
Definition: export.h:11
signature::SignatureManager::public_keys_
std::vector< RSA * > public_keys_
Definition: signature.h:108
shash::Algorithms
Algorithms
Definition: hash.h:41
Init
static int Init(const loader::LoaderExports *loader_exports)
Definition: cvmfs.cc:2320
signature::SignatureManager::x509_lookup_
X509_LOOKUP * x509_lookup_
Definition: signature.h:112
Fini
static void Fini()
Definition: cvmfs.cc:2539